5. Problems

If you don't find your problem listed below, please submit a bug report to ssh-bugs@clinet.fi giving full details of

Version number of ssh and (if different) sshd
What you expected ssh to do
What ssh did instead (including all error messages)
The system you use (for example, the output of uname -a), and the output of config.guess.
For a compilation problem, the contents of the file config.log (generated by configure)
The compiler you used, plus any compilation flags
The output of ssh -v
The output of the sshd daemon when run in debug mode, as sshd -d

Please try the latest snapshot from


ftp://ftp.cs.hut.fi/pub/ssh/snapshots/

before reporting any bug.

5.1 ssh otherhost xclient & does not work!

No, it doesn't. Use "ssh -f otherhost xclient" instead, or "ssh -n otherhost xclient &" if you want a script to be compatible with rsh.

5.2 Ssh fails with "Resource temporarily unavailable" for Solaris

For Solaris 2.4, this s a kernel bug. Get the patch 101945-37 to fix it. Please note that at least one earlier version, 101945-36, seems to have reintroduced the bug.

If you experience the same problem with Solaris 2.5.1, upgrade to ssh 1.2.14 or later, which should have solved the problem.

5.3 Sshd hangs under Solaris 2.5!

This is a problem with the Solaris shared library code, which causes a hang with some name server functions.

Get Patch 103187-02 (for x86, 103188-02) to fix this. This problem may or may not be fixed in Solaris 2.5.1.

5.4 X11 forwarding does not work for an SCO binary with the iBCS2 emulator under Linux.

You need to set the hostname to the fully qualified domain name for this to work. Some Linux distributions set the hostname to the first part of the FQDN only.

5.5 Ssh is doing wrong things for multi-homed hosts!

Check whether gethostbyname() really returns the complete lists of possible IP addresses (you might, for example, have your system configured to search /etc/hosts first, which might contain only one of the IP addresses).

5.6 Userid swapping is broken under AIX!

This is a bug in AIX 3.2.5, reported as APAR IX38941, and fixed by patches U435001, U427862, U426915, and a few others. Contact your IBM representative for details.

5.7 ssh-keygen dumps core on Alpha OSF!

For Alpha OSF/1 1.3.2, this is due to a bug in the vendor-supplied compiler with maximum optimization.

Turn off all optimization for ssh-keygen, or use gcc. Gcc 2.7.2 is known to have problems on the Alpha, however.

5.8 ssh-keygen dumps core on Solaris or SunOS

This is a bug in gcc 2.7.0, which causes it to generated incorrect code without optimization. Supply the "-O" or "-O -g" options to gcc when compiling. Alternatively, upgrade to gcc 2.7.2.

5.9 On Linux, compilation aborts with some error message about libc.so.4

This is an incorrectly configured Linux system; do a "cd /usr/lib; ln -s libc.sa libg.sa" as root to remedy this.

5.10 X authorization sometimes fails.

This is believed to be a bug in HP-UX 9 xauth, SR 5003209619. Patch PHSS_5568 is believed to fix this problem.

If this occurs for any other platform, please mail details to ssh-bugs@clinet.fi .

5.11 Ssh asks me for passwords despite .rhosts!

There are several possibilities why this could be the case; common ones include

The client host key is not stored in the known_hosts file. Note that this has to be the canonical (usually, the fully qualified) domain name.
The client host does not have a reverse mapping in the name servers. Note that ssh requires that it has both a reverse mapping, and a forward mapping that contains the original IP address.
A multi-homed client or host does not have all of its IP addresses listed in the DNS entry. Note that versions prior to 1.2.12 have bugs in handling multi-homed hosts.
User's home directory or ~/.rhosts is world or group-writable (see StrictModes server configuration option).
On some machines, if the home directory is on an NFS volume, ~/.rhosts and your home directory may need to be world-readable.
The root account has to use ~/.rhosts or ~/.shosts; /etc/shosts.equiv and /etc/hosts.equiv are disregarded for root.
Confusion between RhostsRSAAuthentication and RSAAuthentication.
RhostsRSAAuthentication is a functional replacement for the 'r' utilities; this requires the ssh program to be setuid root, a secret key in /etc/host_key file on the client, a corresponding public key entry in /etc/ssh_known_hosts, plus entries in ~/.[sr]hosts or /etc/[s]hosts.equiv.

RSAAuthentication is done on a per-user basis and requires a ~/.ssh/identity file on the client side (to be generated with ssh-keygen), plus a matching ~/.ssh/authorized_keys on the server side.

5.12 Why does ssh loop with "Secure connection refused'?

This is a configuration problem.

Ssh attempts to fall back to the "r" commands when it cannot connect to an ssh daemon on the remote host. It does this by execing your old rsh to use the old protocol.

There are two possibilities why this could be:

You probably have installed ssh as rsh, and forgotten to give the --with-rsh=PATH option to configure the second time. When ssh is looking for rsh, it keeps executing itself (or an older version of itself). To solve this, recompile ssh with the correct place for rsh.
You moved the old rsh and rlogin into a different directory and correctly are calling the old rsh. The old rsh has a hard-coded path to the old rlogin program, so you wind up execing the old rsh which in turn execs the new replacement (ssh)rlogin.
In that case, you might want to move the old rsh and rlogin binaries into /usr/old, patch the old rsh binary by running the Perl script
```
perl -pi.orig -e 's+/usr/(bin|ucb)/rlogin+/usr/old/rlogin+g ;' /usr/old/rsh
```
which will generate a patched version of rsh and save the old one in /usr/old/rsh.orig.

Reconfigure ssh with --with-rsh=/usr/old/rsh.

5.13 ssh-agent does not work with rxvt!

rxvt closes all file descriptors when starting up, including the one used by ssh-agent. Use xterm, or look at the mailing list archives at http://www.cs.hut.fi/ssh/ssh-archive/ for Timo Rinne's rxvt patch.

5.14 X authorization always fails.

This can happen if the xauth program was not found at configure time. Correct the path, reconfigure and recompile.

5.15 ssh hangs when forwarding multiple TCP connections.

This is due to a known race condition in the ssh protocol before 1.2.13.

Some changes have been made to the protocol in 1.2.14 to prevent this. Unfortunately, these changes may also cause hangs when using TCP forwarding between 1.2.14 and earlier versions. In these cases, upgrade to 1.2.14 or later at both ends is recommended.

5.16 What does Warning: remote host denied X11 forwarding mean?

Either the remote end has disabled X11 forwarding (ForwardX11 No in the config file), or either the xauth command or the X11 libraries were not found when compiling the server.

5.17 I still see cleartext packages on the net when I run ssh!

It is very likely that you are looking at a telnet, rlogin or X session to the machine that you run ssh on. Check that those packets really are ssh packets (for example by checking their port number; sshd listens on port 22).

5.18 I have problems with RSAREF, something to do with too many bits!

This is a limitation in the RSAREF library. You should set a host key with at most 896 bits.

5.19 Compiling fails with some error messages from the assembler.

For several operating systems there were bugs in the gmp assembler routines. Try

make distclean
configure --disable-asm

to compile.

5.20 Compiling with Solaris 2.5 fails!

Set the CPP environment variable to "cc -E -Xs" before running configure.

5.21 Ssh suddenly drops connections!

This is a problem which has been reported by several people for SunOS 4, Solaris 2, Linux, and HP-UX 9 and 10, with 1.2.16 and 1.2.17. It happens with scp, when transferring large amounts of data via ssh's stdin, or when forwarding an X connection which receives a large amount of graphics data (such as a MPEG movie).

Try to apply the following patch to 1.2.16 or 1.2.17 for a fix. This is in 1.2.18 or later.

--- serverloop.c.orig   Tue Jan 21 14:38:25 1997
+++ serverloop.c.       Tue Jan 21 14:37:54 1997
@@ -405,7 +405,7 @@
                  buffer_len(&amp;stdin_buffer));
       if (len <= 0)
        {
-         if (errno != EWOULDBLOCK)
+         if ((errno != EWOULDBLOCK) &amp;&amp; (errno != EAGAIN))
            {
              if (fdin == fdout)
                shutdown(fdin, 1); /* We will no longer send. */

5.22 Connections are forwarded as root by ssh!

When a client connects, sshd forks a child that does the protocol handling, and this child forks a second child for the user shell or command. The problem is that the setuid() call to the correct user appears only in the second child, so the first child keeps running as root.

Among other potential problems this means that connections redirected with -Lx:host:port will be made from the root uid to host:port, since the first child does them. This means that when the target host does an ident query, it gets back only "root" and no indication of the actual user.

This has been reported as a bug; it is not known wether this will be fixed in a future release.

Next Chapter, Previous Chapter

Table of contents of this chapter, General table of contents

Top of the document, Beginning of this Chapter